jbufu / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

ConsumerManager.verifyDiscovered1 is not giving enough details in VerificationResult._statusMsg #203

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
In relation to my previously reported problem #202,

when a problem like that happens, it's very difficult to get any meaningful 
diagnosis out of openid4java. The only error message we get is "Discovered 
information verification failed." and it does not go into the details of which 
aspect has failed.

In OpenID, the relying party has no secret to hide from the person who's trying to 
authenticate. So as much diagnostic information should be given to the status 
message as possible, to diagnose configuration issues in the server/client, etc.

For example, in ConsumerManager.verifyDiscovered1, instead of reporting errors 
to the logger, those error messages should be primarily put into 
VerifiedResult._statusMsg, which is where it belongs.

In the "stateless mode / bare response verification" mode, the 
verifyDiscovered1 method should also report what OpenIDs it has discovered and 
why it rejected them when it fails to find a matching one.

It would have made troubleshooting an issue like #202 very easy. As it stands 
right now, we had to attach a debugger and trace through the code to tell, 
which would have been completely impractical if this had happened at some 
remote site.

Original issue reported on code.google.com by kohsuke....@gmail.com on 4 Dec 2013 at 4:02
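
One way the reporting requested above could look, as an added example that is not openid4java's code and not from the reporter. The `Candidate` record, `rejectionReason`, `statusMessage` and the three compared fields (claimed identifier, OP endpoint, protocol version) are assumptions made for illustration, and the sample values are constructed.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical sketch (Java 16+), not openid4java code: collect one rejection
// reason per discovered endpoint so the status message explains why none matched.
public class DiscoveryDiagnostics {

    // Hypothetical stand-in for one discovered service entry or the asserted values.
    record Candidate(String claimedId, String opEndpoint, String version) {}

    // Returns null when the candidate matches the assertion, else why it was rejected.
    static String rejectionReason(Candidate asserted, Candidate found) {
        if (!asserted.version().equals(found.version()))
            return "version " + found.version() + " != asserted " + asserted.version();
        if (!asserted.claimedId().equals(found.claimedId()))
            return "claimed_id " + found.claimedId() + " != asserted " + asserted.claimedId();
        if (!asserted.opEndpoint().equals(found.opEndpoint()))
            return "op_endpoint " + found.opEndpoint() + " != asserted " + asserted.opEndpoint();
        return null;
    }

    // Builds the text that would go into the status message instead of only the log.
    static String statusMessage(Candidate asserted, List<Candidate> discovered) {
        List<String> reasons = new ArrayList<>();
        for (Candidate c : discovered) {
            String why = rejectionReason(asserted, c);
            if (why == null) return "OK: matched " + c.opEndpoint();
            reasons.add("rejected [" + c.opEndpoint() + " v" + c.version() + "]: " + why);
        }
        if (discovered.isEmpty()) reasons.add("discovery returned no endpoints");
        return "Discovered information verification failed. " + String.join("; ", reasons);
    }

    public static void main(String[] args) {
        // Constructed sample values: neither discovered entry matches the assertion.
        Candidate asserted = new Candidate("https://id.example/alice",
                "https://op.example/auth", "2.0");
        List<Candidate> discovered = List.of(
                new Candidate("https://id.example/alice", "https://op.example/login", "2.0"),
                new Candidate("https://id.example/alice", "https://op.example/auth", "1.1"));
        System.out.println(statusMessage(asserted, discovered));
    }
}
```

The identifier and endpoint strings in such a message come from the assertion and from discovery, so encode the message for its output context before rendering it in a page or writing it to a log.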